Fix SAN address collection from ansible_default_ipv{4,6} (#12505)

Signed-off-by: Hyeonki Hong <hhk7734@gmail.com>
Co-authored-by: Hyeonki Hong <hhk7734@gmail.com>

.github/workflows/upgrade-patch-versions-schedule.yml

@@ -8,6 +8,7 @@ on:
 permissions: {}
 jobs:
   get-releases-branches:
+    if: github.repository == 'kubernetes-sigs/kubespray'
     runs-on: ubuntu-latest
     outputs:
       branches: ${{ steps.get-branches.outputs.data }}

.gitlab-ci.yml

@@ -55,37 +55,9 @@ before_script:
   extends: .job
   needs:
     - pipeline-image
-    - ci-not-authorized
     - pre-commit            # lint
     - vagrant-validate      # lint
 
-# For failfast, at least 1 job must be defined in .gitlab-ci.yml
-# Premoderated with manual actions
-ci-not-authorized:
-  stage: build
-  before_script: []
-  after_script: []
-  rules:
-    # LGTM or ok-to-test labels
-    - if: $PR_LABELS =~ /.*,(lgtm|approved|ok-to-test).*|^(lgtm|approved|ok-to-test).*/i
-      variables:
-        CI_OK_TO_TEST: '0'
-      when: always
-    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - if: $CI_COMMIT_BRANCH == "master"
-      variables:
-        CI_OK_TO_TEST: '0'
-    - when: always
-      variables:
-        CI_OK_TO_TEST: '1'
-  script:
-    - exit $CI_OK_TO_TEST
-  tags:
-    - ffci
-  needs: []
-
 include:
   - .gitlab-ci/build.yml
   - .gitlab-ci/lint.yml

.gitlab-ci/kubevirt.yml

@@ -12,10 +12,9 @@
     - ffci
   needs:
     - pipeline-image
-    - ci-not-authorized
 
 # TODO: generate testcases matrixes from the files in tests/files/
-# this is needed to avoid the need for PR rebasing when a job was added or remvoed in the target branch
+# this is needed to avoid the need for PR rebasing when a job was added or removed in the target branch
 # (currently, a removed job in the target branch breaks the tests, because the
 # pipeline definition is parsed by gitlab before the rebase.sh script)
 # CI template for PRs
@@ -27,6 +26,8 @@ pr:
       allow_failure: true
     - if: $CI_COMMIT_BRANCH =~ /^pr-.*$/
       when: on_success
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
     - when: manual
       allow_failure: true
   extends: .kubevirt
@@ -53,6 +54,7 @@ pr:
           - ubuntu22-calico-all-in-one
           - ubuntu22-calico-all-in-one-upgrade
           - ubuntu24-calico-etcd-datastore
+          - ubuntu24-ha-separate-etcd
 
 # The ubuntu20-calico-all-in-one jobs are meant as early stages to prevent running the full CI if something is horribly broken
 ubuntu20-calico-all-in-one:
@@ -63,6 +65,8 @@ ubuntu20-calico-all-in-one:
   rules:
     - if: $CI_COMMIT_BRANCH =~ /^pr-.*$/
       when: on_success
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
     - when: manual
       allow_failure: true
 
@@ -72,6 +76,8 @@ pr_full:
   rules:
     - if: $PR_LABELS =~ /.*ci-full.*/
       when: on_success
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
     # Else run as manual
     - when: manual
       allow_failure: true
@@ -108,6 +114,8 @@ pr_extended:
   rules:
     - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
       when: on_success
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
     - when: manual
       allow_failure: true
   parallel:
@@ -127,13 +135,13 @@ pr_extended:
           - ubuntu24-all-in-one-docker
           - ubuntu24-calico-all-in-one
 
-# Enabled when PERIODIC_CI_ENABLED var is set
+# TODO: migrate to pr-full, fix the broken ones
 periodic:
-  only:
-    variables:
-      - $PERIODIC_CI_ENABLED
   allow_failure: true
   extends: .kubevirt
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
   parallel:
     matrix:
       - TESTCASE:

.gitlab-ci/molecule.yml

@@ -1,17 +1,24 @@
 ---
 .molecule:
   tags: [ffci]
-  only: [/^pr-.*$/]
-  except: ['triggers']
+  rules: # run on ci-short as well
+  - if: $CI_COMMIT_BRANCH =~ /^pr-.*$/
+    when: on_success
+  - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+    when: on_success
+  - when: manual
+    allow_failure: true
   stage: deploy-part1
   image: $PIPELINE_IMAGE
   needs:
   - pipeline-image
-  # - ci-not-authorized
   script:
   - ./tests/scripts/molecule_run.sh
   after_script:
-  - ./tests/scripts/molecule_logs.sh
+  - rm -fr molecule_logs
+  - mkdir -p molecule_logs
+  - find ~/.cache/molecule/ \( -name '*.out' -o -name '*.err' \) -type f | xargs tar -uf molecule_logs/molecule.tar
+  - gzip molecule_logs/molecule.tar
   artifacts:
     when: always
     paths:
@@ -29,25 +36,19 @@ molecule:
       - container-engine/cri-o
       - adduser
       - bastion-ssh-config
-      - bootstrap-os
+      - bootstrap_os
 
-# CI template for periodic CI jobs
-# Enabled when PERIODIC_CI_ENABLED var is set
 molecule_full:
-  only:
-    variables:
-    - $PERIODIC_CI_ENABLED
   allow_failure: true
+  rules:
+  - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+    when: on_success
+  - when: manual
+    allow_failure: true
   extends: molecule
   parallel:
     matrix:
     - ROLE:
-      - container-engine/cri-dockerd
-      - container-engine/containerd
-      - container-engine/cri-o
-      - adduser
-      - bastion-ssh-config
-      - bootstrap-os
       # FIXME : tests below are perma-failing
       - container-engine/kata-containers
       - container-engine/gvisor

.gitlab-ci/terraform.yml

@@ -3,7 +3,6 @@
 .terraform_install:
   extends: .job
   needs:
-    - ci-not-authorized
     - pipeline-image
   variables:
     TF_VAR_public_key_path: "${ANSIBLE_PRIVATE_KEY_FILE}.pub"
@@ -33,7 +32,6 @@ terraform_validate:
     matrix:
       - PROVIDER:
           - openstack
-          - equinix
           - aws
           - exoscale
           - hetzner

.gitlab-ci/vagrant.yml

@@ -1,8 +1,6 @@
 ---
 vagrant:
   extends: .job-moderated
-  needs:
-    - ci-not-authorized
   variables:
     CI_PLATFORM: "vagrant"
     SSH_USER: "vagrant"
@@ -13,8 +11,6 @@ vagrant:
     VAGRANT_HOME: "$CI_PROJECT_DIR/.vagrant.d"
     PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
   tags: [ffci-vm-large]
-  # only: [/^pr-.*$/]
-  # except: ['triggers']
   image: quay.io/kubespray/vm-kubespray-ci:v13
   services: []
   before_script:
@@ -42,6 +38,8 @@ vagrant:
   rules:
     - if: $PR_LABELS =~ /.*(ci-extended|ci-full).*/
       when: on_success
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_PIPELINE_SCHEDULE_DESCRIPTION == "daily-ci"
+      when: on_success
   parallel:
     matrix:
       - TESTCASE:

Dockerfile

@@ -35,8 +35,8 @@ RUN --mount=type=bind,source=requirements.txt,target=requirements.txt \
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN OS_ARCHITECTURE=$(dpkg --print-architecture) \
-    && curl -L "https://dl.k8s.io/release/v1.32.3/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
-    && echo "$(curl -L "https://dl.k8s.io/release/v1.32.3/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L "https://dl.k8s.io/release/v1.32.8/bin/linux/${OS_ARCHITECTURE}/kubectl" -o /usr/local/bin/kubectl \
+    && echo "$(curl -L "https://dl.k8s.io/release/v1.32.8/bin/linux/${OS_ARCHITECTURE}/kubectl.sha256")" /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl
 
 COPY *.yml ./

OWNERS_ALIASES

@@ -1,13 +1,10 @@
 aliases:
   kubespray-approvers:
-    - cristicalin
-    - floryut
-    - liupeng0518
-    - mzaian
-    - oomichi
-    - yankay
     - ant31
+    - mzaian
+    - tico88612
     - vannten
+    - yankay
   kubespray-reviewers:
     - cyclinder
     - erikjiang
@@ -19,8 +16,12 @@ aliases:
   kubespray-emeritus_approvers:
     - atoms
     - chadswen
+    - cristicalin
+    - floryut
+    - liupeng0518
     - luckysb
     - mattymo
     - miouge1
+    - oomichi
     - riverzhang
     - woopstar

README.md

@@ -111,15 +111,15 @@ Note:
 <!-- BEGIN ANSIBLE MANAGED BLOCK -->
 
 - Core
-  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.32.3
-  - [etcd](https://github.com/etcd-io/etcd) 3.5.16
+  - [kubernetes](https://github.com/kubernetes/kubernetes) 1.32.8
+  - [etcd](https://github.com/etcd-io/etcd) 3.5.22
   - [docker](https://www.docker.com/) 28.0
-  - [containerd](https://containerd.io/) 2.0.3
+  - [containerd](https://containerd.io/) 2.0.6
   - [cri-o](http://cri-o.io/) 1.32.0 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) 1.4.1
-  - [calico](https://github.com/projectcalico/calico) 3.29.2
-  - [cilium](https://github.com/cilium/cilium) 1.15.9
+  - [calico](https://github.com/projectcalico/calico) 3.29.5
+  - [cilium](https://github.com/cilium/cilium) 1.17.7
   - [flannel](https://github.com/flannel-io/flannel) 0.22.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) 1.12.21
   - [kube-router](https://github.com/cloudnativelabs/kube-router) 2.1.1

contrib/offline/README.md

@@ -31,7 +31,7 @@ manage-offline-container-images.sh   register
 
 ## generate_list.sh
 
-This script generates the list of downloaded files and the list of container images by `roles/kubespray-defaults/defaults/main/download.yml` file.
+This script generates the list of downloaded files and the list of container images by `roles/kubespray_defaults/defaults/main/download.yml` file.
 
 Run this script will execute `generate_list.yml` playbook in kubespray root directory and generate four files,
 all downloaded files url in files.list, all container images in images.list, jinja2 templates in *.template.

contrib/offline/generate_list.sh

@@ -5,7 +5,7 @@ CURRENT_DIR=$(cd $(dirname $0); pwd)
 TEMP_DIR="${CURRENT_DIR}/temp"
 REPO_ROOT_DIR="${CURRENT_DIR%/contrib/offline}"
 
-: ${DOWNLOAD_YML:="roles/kubespray-defaults/defaults/main/download.yml"}
+: ${DOWNLOAD_YML:="roles/kubespray_defaults/defaults/main/download.yml"}
 
 mkdir -p ${TEMP_DIR}
 
@@ -19,7 +19,7 @@ sed -n '/^downloads:/,/download_defaults:/p' ${REPO_ROOT_DIR}/${DOWNLOAD_YML} \
     | sed 'N;s#\n# #g' | tr ' ' ':' | sed 's/\"//g' > ${TEMP_DIR}/images.list.template
 
 # add kube-* images to images list template
-# Those container images are downloaded by kubeadm, then roles/kubespray-defaults/defaults/main/download.yml
+# Those container images are downloaded by kubeadm, then roles/kubespray_defaults/defaults/main/download.yml
 # doesn't contain those images. That is reason why here needs to put those images into the
 # list separately.
 KUBE_IMAGES="kube-apiserver kube-controller-manager kube-scheduler kube-proxy"

contrib/offline/generate_list.yml

@@ -5,7 +5,7 @@
 
   roles:
     # Just load default variables from roles.
-    - role: kubespray-defaults
+    - role: kubespray_defaults
       when: false
     - role: download
       when: false

contrib/offline/manage-offline-container-images.sh

@@ -127,7 +127,7 @@ function register_container_images() {
 
 	tar -zxvf ${IMAGE_TAR_FILE}
 
-	if [ "${create_registry}" ]; then
+	if ${create_registry}; then
 		sudo ${runtime} load -i ${IMAGE_DIR}/registry-latest.tar
 		set +e
 
@@ -148,7 +148,7 @@ function register_container_images() {
 		if [ "${org_image}" == "ID:" ]; then
 		  org_image=$(echo "${load_image}"  | awk '{print $4}')
 		fi
-		image_id=$(sudo ${runtime} image inspect ${org_image} | grep "\"Id\":" | awk -F: '{print $3}'| sed s/'\",'//)
+		image_id=$(sudo ${runtime} image inspect --format "{{.Id}}" "${org_image}")
 		if [ -z "${file_name}" ]; then
 			echo "Failed to get file_name for line ${line}"
 			exit 1

contrib/terraform/aws/create-infrastructure.tf

@@ -1,5 +1,11 @@
 terraform {
   required_version = ">= 0.12.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
 }
 
 provider "aws" {

contrib/terraform/equinix/README.md

@@ -1,246 +0,0 @@
-# Kubernetes on Equinix Metal with Terraform
-
-Provision a Kubernetes cluster with [Terraform](https://www.terraform.io) on
-[Equinix Metal](https://metal.equinix.com) ([formerly Packet](https://blog.equinix.com/blog/2020/10/06/equinix-metal-metal-and-more/)).
-
-## Status
-
-This will install a Kubernetes cluster on Equinix Metal. It should work in all locations and on most server types.
-
-## Approach
-
-The terraform configuration inspects variables found in
-[variables.tf](variables.tf) to create resources in your Equinix Metal project.
-There is a [python script](../terraform.py) that reads the generated`.tfstate`
-file to generate a dynamic inventory that is consumed by [cluster.yml](../../../cluster.yml)
-to actually install Kubernetes with Kubespray.
-
-### Kubernetes Nodes
-
-You can create many different kubernetes topologies by setting the number of
-different classes of hosts.
-
-- Master nodes with etcd: `number_of_k8s_masters` variable
-- Master nodes without etcd: `number_of_k8s_masters_no_etcd` variable
-- Standalone etcd hosts: `number_of_etcd` variable
-- Kubernetes worker nodes: `number_of_k8s_nodes` variable
-
-Note that the Ansible script will report an invalid configuration if you wind up
-with an *even number* of etcd instances since that is not a valid configuration. This
-restriction includes standalone etcd nodes that are deployed in a cluster along with
-master nodes with etcd replicas. As an example, if you have three master nodes with
-etcd replicas and three standalone etcd nodes, the script will fail since there are
-now six total etcd replicas.
-
-## Requirements
-
-- [Install Terraform](https://www.terraform.io/intro/getting-started/install.html)
-- [Install Ansible dependencies](/docs/ansible/ansible.md#installing-ansible)
-- Account with Equinix Metal
-- An SSH key pair
-
-## SSH Key Setup
-
-An SSH keypair is required so Ansible can access the newly provisioned nodes (Equinix Metal hosts). By default, the public SSH key defined in cluster.tfvars will be installed in authorized_key on the newly provisioned nodes (~/.ssh/id_rsa.pub). Terraform will upload this public key and then it will be distributed out to all the nodes. If you have already set this public key in Equinix Metal (i.e. via the portal), then set the public keyfile name in cluster.tfvars to blank to prevent the duplicate key from being uploaded which will cause an error.
-
-If you don't already have a keypair generated (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub), then a new keypair can be generated with the command:
-
-```ShellSession
-ssh-keygen -f ~/.ssh/id_rsa
-```
-
-## Terraform
-
-Terraform will be used to provision all of the Equinix Metal resources with base software as appropriate.
-
-### Configuration
-
-#### Inventory files
-
-Create an inventory directory for your cluster by copying the existing sample and linking the `hosts` script (used to build the inventory based on Terraform state):
-
-```ShellSession
-cp -LRp contrib/terraform/equinix/sample-inventory inventory/$CLUSTER
-cd inventory/$CLUSTER
-ln -s ../../contrib/terraform/equinix/hosts
-```
-
-This will be the base for subsequent Terraform commands.
-
-#### Equinix Metal API access
-
-Your Equinix Metal API key must be available in the `METAL_AUTH_TOKEN` environment variable.
-This key is typically stored outside of the code repo since it is considered secret.
-If someone gets this key, they can startup/shutdown hosts in your project!
-
-For more information on how to generate an API key or find your project ID, please see
-[Accounts Index](https://metal.equinix.com/developers/docs/accounts/).
-
-The Equinix Metal Project ID associated with the key will be set later in `cluster.tfvars`.
-
-For more information about the API, please see [Equinix Metal API](https://metal.equinix.com/developers/api/).
-
-For more information about terraform provider authentication, please see [the equinix provider documentation](https://registry.terraform.io/providers/equinix/equinix/latest/docs).
-
-Example:
-
-```ShellSession
-export METAL_AUTH_TOKEN="Example-API-Token"
-```
-
-Note that to deploy several clusters within the same project you need to use [terraform workspace](https://www.terraform.io/docs/state/workspaces.html#using-workspaces).
-
-#### Cluster variables
-
-The construction of the cluster is driven by values found in
-[variables.tf](variables.tf).
-
-For your cluster, edit `inventory/$CLUSTER/cluster.tfvars`.
-
-The `cluster_name` is used to set a tag on each server deployed as part of this cluster.
-This helps when identifying which hosts are associated with each cluster.
-
-While the defaults in variables.tf will successfully deploy a cluster, it is recommended to set the following values:
-
-- cluster_name = the name of the inventory directory created above as $CLUSTER
-- equinix_metal_project_id = the Equinix Metal Project ID associated with the Equinix Metal API token above
-
-#### Enable localhost access
-
-Kubespray will pull down a Kubernetes configuration file to access this cluster by enabling the
-`kubeconfig_localhost: true` in the Kubespray configuration.
-
-Edit `inventory/$CLUSTER/group_vars/k8s_cluster/k8s_cluster.yml` and comment back in the following line and change from `false` to `true`:
-`\# kubeconfig_localhost: false`
-becomes:
-`kubeconfig_localhost: true`
-
-Once the Kubespray playbooks are run, a Kubernetes configuration file will be written to the local host at `inventory/$CLUSTER/artifacts/admin.conf`
-
-#### Terraform state files
-
-In the cluster's inventory folder, the following files might be created (either by Terraform
-or manually), to prevent you from pushing them accidentally they are in a
-`.gitignore` file in the `contrib/terraform/equinix` directory :
-
-- `.terraform`
-- `.tfvars`
-- `.tfstate`
-- `.tfstate.backup`
-- `.lock.hcl`
-
-You can still add them manually if you want to.
-
-### Initialization
-
-Before Terraform can operate on your cluster you need to install the required
-plugins. This is accomplished as follows:
-
-```ShellSession
-cd inventory/$CLUSTER
-terraform -chdir=../../contrib/terraform/metal init -var-file=cluster.tfvars
-```
-
-This should finish fairly quickly telling you Terraform has successfully initialized and loaded necessary modules.
-
-### Provisioning cluster
-
-You can apply the Terraform configuration to your cluster with the following command
-issued from your cluster's inventory directory (`inventory/$CLUSTER`):
-
-```ShellSession
-terraform -chdir=../../contrib/terraform/equinix apply -var-file=cluster.tfvars
-export ANSIBLE_HOST_KEY_CHECKING=False
-ansible-playbook -i hosts ../../cluster.yml
-```
-
-### Destroying cluster
-
-You can destroy your new cluster with the following command issued from the cluster's inventory directory:
-
-```ShellSession
-terraform -chdir=../../contrib/terraform/equinix destroy -var-file=cluster.tfvars
-```
-
-If you've started the Ansible run, it may also be a good idea to do some manual cleanup:
-
-- Remove SSH keys from the destroyed cluster from your `~/.ssh/known_hosts` file
-- Clean up any temporary cache files: `rm /tmp/$CLUSTER-*`
-
-### Debugging
-
-You can enable debugging output from Terraform by setting `TF_LOG` to `DEBUG` before running the Terraform command.
-
-## Ansible
-
-### Node access
-
-#### SSH
-
-Ensure your local ssh-agent is running and your ssh key has been added. This
-step is required by the terraform provisioner:
-
-```ShellSession
-eval $(ssh-agent -s)
-ssh-add ~/.ssh/id_rsa
-```
-
-If you have deployed and destroyed a previous iteration of your cluster, you will need to clear out any stale keys from your SSH "known hosts" file ( `~/.ssh/known_hosts`).
-
-#### Test access
-
-Make sure you can connect to the hosts.  Note that Flatcar Container Linux by Kinvolk will have a state `FAILED` due to Python not being present.  This is okay, because Python will be installed during bootstrapping, so long as the hosts are not `UNREACHABLE`.
-
-```ShellSession
-$ ansible -i inventory/$CLUSTER/hosts -m ping all
-example-k8s_node-1 | SUCCESS => {
-    "changed": false,
-    "ping": "pong"
-}
-example-etcd-1 | SUCCESS => {
-    "changed": false,
-    "ping": "pong"
-}
-example-k8s-master-1 | SUCCESS => {
-    "changed": false,
-    "ping": "pong"
-}
-```
-
-If it fails try to connect manually via SSH.  It could be something as simple as a stale host key.
-
-### Deploy Kubernetes
-
-```ShellSession
-ansible-playbook --become -i inventory/$CLUSTER/hosts cluster.yml
-```
-
-This will take some time as there are many tasks to run.
-
-## Kubernetes
-
-### Set up kubectl
-
-- [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on the localhost.
-- Verify that Kubectl runs correctly
-
-```ShellSession
-kubectl version
-```
-
-- Verify that the Kubernetes configuration file has been copied over
-
-```ShellSession
-cat inventory/alpha/$CLUSTER/admin.conf
-```
-
-- Verify that all the nodes are running correctly.
-
-```ShellSession
-kubectl version
-kubectl --kubeconfig=inventory/$CLUSTER/artifacts/admin.conf  get nodes
-```
-
-## What's next
-
-Try out your new Kubernetes cluster with the [Hello Kubernetes service](https://kubernetes.io/docs/tasks/access-application-cluster/service-access-application-cluster/).

contrib/terraform/equinix/hosts

@@ -1 +0,0 @@
-../terraform.py

contrib/terraform/equinix/kubespray.tf

@@ -1,57 +0,0 @@
-resource "equinix_metal_ssh_key" "k8s" {
-  count      = var.public_key_path != "" ? 1 : 0
-  name       = "kubernetes-${var.cluster_name}"
-  public_key = chomp(file(var.public_key_path))
-}
-
-resource "equinix_metal_device" "k8s_master" {
-  depends_on = [equinix_metal_ssh_key.k8s]
-
-  count            = var.number_of_k8s_masters
-  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
-  plan             = var.plan_k8s_masters
-  metro            = var.metro
-  operating_system = var.operating_system
-  billing_cycle    = var.billing_cycle
-  project_id       = var.equinix_metal_project_id
-  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane", "etcd", "kube_node"]
-}
-
-resource "equinix_metal_device" "k8s_master_no_etcd" {
-  depends_on = [equinix_metal_ssh_key.k8s]
-
-  count            = var.number_of_k8s_masters_no_etcd
-  hostname         = "${var.cluster_name}-k8s-master-${count.index + 1}"
-  plan             = var.plan_k8s_masters_no_etcd
-  metro            = var.metro
-  operating_system = var.operating_system
-  billing_cycle    = var.billing_cycle
-  project_id       = var.equinix_metal_project_id
-  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_control_plane"]
-}
-
-resource "equinix_metal_device" "k8s_etcd" {
-  depends_on = [equinix_metal_ssh_key.k8s]
-
-  count            = var.number_of_etcd
-  hostname         = "${var.cluster_name}-etcd-${count.index + 1}"
-  plan             = var.plan_etcd
-  metro            = var.metro
-  operating_system = var.operating_system
-  billing_cycle    = var.billing_cycle
-  project_id       = var.equinix_metal_project_id
-  tags             = ["cluster-${var.cluster_name}", "etcd"]
-}
-
-resource "equinix_metal_device" "k8s_node" {
-  depends_on = [equinix_metal_ssh_key.k8s]
-
-  count            = var.number_of_k8s_nodes
-  hostname         = "${var.cluster_name}-k8s-node-${count.index + 1}"
-  plan             = var.plan_k8s_nodes
-  metro            = var.metro
-  operating_system = var.operating_system
-  billing_cycle    = var.billing_cycle
-  project_id       = var.equinix_metal_project_id
-  tags             = ["cluster-${var.cluster_name}", "k8s_cluster", "kube_node"]
-}

contrib/terraform/equinix/output.tf

@@ -1,15 +0,0 @@
-output "k8s_masters" {
-  value = equinix_metal_device.k8s_master.*.access_public_ipv4
-}
-
-output "k8s_masters_no_etc" {
-  value = equinix_metal_device.k8s_master_no_etcd.*.access_public_ipv4
-}
-
-output "k8s_etcds" {
-  value = equinix_metal_device.k8s_etcd.*.access_public_ipv4
-}
-
-output "k8s_nodes" {
-  value = equinix_metal_device.k8s_node.*.access_public_ipv4
-}

contrib/terraform/equinix/provider.tf

@@ -1,17 +0,0 @@
-terraform {
-  required_version = ">= 1.0.0"
-
-  provider_meta "equinix" {
-    module_name = "kubespray"
-  }
-  required_providers {
-    equinix = {
-      source  = "equinix/equinix"
-      version = "1.24.0"
-    }
-  }
-}
-
-# Configure the Equinix Metal Provider
-provider "equinix" {
-}

contrib/terraform/equinix/sample-inventory/cluster.tfvars

@@ -1,35 +0,0 @@
-# your Kubernetes cluster name here
-cluster_name = "mycluster"
-
-# Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/
-equinix_metal_project_id = "Example-Project-Id"
-
-# The public SSH key to be uploaded into authorized_keys in bare metal Equinix Metal nodes provisioned
-# leave this value blank if the public key is already setup in the Equinix Metal project
-# Terraform will complain if the public key is setup in Equinix Metal
-public_key_path = "~/.ssh/id_rsa.pub"
-
-# Equinix interconnected bare metal across our global metros.
-metro = "da"
-
-# operating_system
-operating_system = "ubuntu_22_04"
-
-# standalone etcds
-number_of_etcd = 0
-
-plan_etcd = "t1.small.x86"
-
-# masters
-number_of_k8s_masters = 1
-
-number_of_k8s_masters_no_etcd = 0
-
-plan_k8s_masters = "t1.small.x86"
-
-plan_k8s_masters_no_etcd = "t1.small.x86"
-
-# nodes
-number_of_k8s_nodes = 2
-
-plan_k8s_nodes = "t1.small.x86"

contrib/terraform/equinix/sample-inventory/group_vars

@@ -1 +0,0 @@
-../../../../inventory/sample/group_vars

contrib/terraform/equinix/variables.tf

@@ -1,56 +0,0 @@
-variable "cluster_name" {
-  default = "kubespray"
-}
-
-variable "equinix_metal_project_id" {
-  description = "Your Equinix Metal project ID. See https://metal.equinix.com/developers/docs/accounts/"
-}
-
-variable "operating_system" {
-  default = "ubuntu_22_04"
-}
-
-variable "public_key_path" {
-  description = "The path of the ssh pub key"
-  default     = "~/.ssh/id_rsa.pub"
-}
-
-variable "billing_cycle" {
-  default = "hourly"
-}
-
-variable "metro" {
-  default = "da"
-}
-
-variable "plan_k8s_masters" {
-  default = "c3.small.x86"
-}
-
-variable "plan_k8s_masters_no_etcd" {
-  default = "c3.small.x86"
-}
-
-variable "plan_etcd" {
-  default = "c3.small.x86"
-}
-
-variable "plan_k8s_nodes" {
-  default = "c3.medium.x86"
-}
-
-variable "number_of_k8s_masters" {
-  default = 1
-}
-
-variable "number_of_k8s_masters_no_etcd" {
-  default = 0
-}
-
-variable "number_of_etcd" {
-  default = 0
-}
-
-variable "number_of_k8s_nodes" {
-  default = 1
-}

docs/CNI/cilium.md

@@ -54,6 +54,10 @@ cilium_loadbalancer_ip_pools:
   - name: "blue-pool"
     cidrs:
       - "10.0.10.0/24"
+    ranges:
+      - start: "20.0.20.100"
+        stop: "20.0.20.200"
+      - start: "1.2.3.4"
 ```
 
 For further information, check [LB IPAM documentation](https://docs.cilium.io/en/stable/network/lb-ipam/)
@@ -233,7 +237,7 @@ cilium_operator_extra_volume_mounts:
 ## Choose Cilium version
 
 ```yml
-cilium_version: "1.15.9"
+cilium_version: "1.17.7"
 ```
 
 ## Add variable to config

docs/CRI/containerd.md

@@ -68,8 +68,8 @@ containerd_runc_runtime:
   engine: ""
   root: ""
   options:
-    systemdCgroup: "false"
-    binaryName: /usr/local/bin/my-runc
+    SystemdCgroup: "false"
+    BinaryName: /usr/local/bin/my-runc
   base_runtime_spec: cri-base.json
 ```
 

docs/_sidebar.md

@@ -23,7 +23,6 @@
   * [Aws](/docs/cloud_providers/aws.md)
   * [Azure](/docs/cloud_providers/azure.md)
   * [Cloud](/docs/cloud_providers/cloud.md)
-  * [Equinix-metal](/docs/cloud_providers/equinix-metal.md)
 * CNI
   * [Calico](/docs/CNI/calico.md)
   * [Cilium](/docs/CNI/cilium.md)

docs/advanced/proxy.md

@@ -1,6 +1,6 @@
 # Setting up Environment Proxy
 
-If you set http and https proxy, all nodes and loadbalancer will be excluded from proxy with generating no_proxy variable in `roles/kubespray-defaults/tasks/no_proxy.yml`, if you have additional resources for exclude add them to `additional_no_proxy` variable. If you want fully override your `no_proxy` setting, then fill in just `no_proxy` and no nodes or loadbalancer addresses will be added to no_proxy.
+If you set http and https proxy, all nodes and loadbalancer will be excluded from proxy with generating no_proxy variable in `roles/kubespray_defaults/tasks/no_proxy.yml`, if you have additional resources for exclude add them to `additional_no_proxy` variable. If you want fully override your `no_proxy` setting, then fill in just `no_proxy` and no nodes or loadbalancer addresses will be added to no_proxy.
 
 ## Set proxy for http and https
 

docs/ansible/ansible.md

@@ -62,7 +62,7 @@ The following tags are defined in playbooks:
 | aws-ebs-csi-driver             | Configuring csi driver: aws-ebs                       |
 | azure-csi-driver               | Configuring csi driver: azure                         |
 | bastion                        | Setup ssh config for bastion                          |
-| bootstrap-os                   | Anything related to host OS configuration             |
+| bootstrap_os                   | Anything related to host OS configuration             |
 | calico                         | Network plugin Calico                                 |
 | calico_rr                      | Configuring Calico route reflector                    |
 | cert-manager                   | Configuring certificate manager for K8s               |
@@ -167,7 +167,7 @@ Example command to filter and apply only DNS configuration tasks and skip
 everything else related to host OS configuration and downloading images of containers:
 
 ```ShellSession
-ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap-os
+ansible-playbook -i inventory/sample/hosts.ini cluster.yml --tags preinstall,facts --skip-tags=download,bootstrap_os
 ```
 
 And this play only removes the K8s cluster DNS resolver IP from hosts' /etc/resolv.conf files:

docs/ansible/vars.md

@@ -180,7 +180,7 @@ and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
 
 IPv4 stack enable by *ipv4_stack* is set to ``true``, by default.
 IPv6 stack enable by *ipv6_stack* is set to ``false`` by default.
-This will use the default IPv4 and IPv6 subnets specified in the defaults file in the ``kubespray-defaults`` role, unless overridden of course. The default config will give you room for up to 256 nodes with 126 pods per node, and up to 4096 services.
+This will use the default IPv4 and IPv6 subnets specified in the defaults file in the ``kubespray_defaults`` role, unless overridden of course. The default config will give you room for up to 256 nodes with 126 pods per node, and up to 4096 services.
 Set both variables to ``true`` for Dual Stack mode.
 IPv4 has higher priority in Dual Stack mode(e.g. in variables `main_ip`, `main_access_ip` and other).
 You can also make IPv6 only clusters with ``false`` in *ipv4_stack*.

docs/cloud_providers/equinix-metal.md

@@ -1,100 +0,0 @@
-# Equinix Metal
-
-Kubespray provides support for bare metal deployments using the [Equinix Metal](http://metal.equinix.com).
-Deploying upon bare metal allows Kubernetes to run at locations where an existing public or private cloud might not exist such
-as cell tower, edge collocated installations. The deployment mechanism used by Kubespray for Equinix Metal is similar to that used for
-AWS and OpenStack clouds (notably using Terraform to deploy the infrastructure). Terraform uses the Equinix Metal provider plugin
-to provision and configure hosts which are then used by the Kubespray Ansible playbooks. The Ansible inventory is generated
-dynamically from the Terraform state file.
-
-## Local Host Configuration
-
-To perform this installation, you will need a localhost to run Terraform/Ansible (laptop, VM, etc) and an account with Equinix Metal.
-In this example, we are provisioning a m1.large CentOS7 OpenStack VM as the localhost for the Kubernetes installation.
-You'll need Ansible, Git, and PIP.
-
-```bash
-sudo yum install epel-release
-sudo yum install ansible
-sudo yum install git
-sudo yum install python-pip
-```
-
-## Playbook SSH Key
-
-An SSH key is needed by Kubespray/Ansible to run the playbooks.
-This key is installed into the bare metal hosts during the Terraform deployment.
-You can generate a key new key or use an existing one.
-
-```bash
-ssh-keygen -f ~/.ssh/id_rsa
-```
-
-## Install Terraform
-
-Terraform is required to deploy the bare metal infrastructure. The steps below are for installing on CentOS 7.
-[More terraform installation options are available.](https://learn.hashicorp.com/terraform/getting-started/install.html)
-
-Grab the latest version of Terraform and install it.
-
-```bash
-echo "https://releases.hashicorp.com/terraform/$(curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version')/terraform_$(curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version')_linux_amd64.zip"
-sudo yum install unzip
-sudo unzip terraform_0.14.10_linux_amd64.zip -d /usr/local/bin/
-```
-
-## Download Kubespray
-
-Pull over Kubespray and setup any required libraries.
-
-```bash
-git clone https://github.com/kubernetes-sigs/kubespray
-cd kubespray
-```
-
-## Install Ansible
-
-Install Ansible according to [Ansible installation guide](/docs/ansible/ansible.md#installing-ansible)
-
-## Cluster Definition
-
-In this example, a new cluster called "alpha" will be created.
-
-```bash
-cp -LRp contrib/terraform/packet/sample-inventory inventory/alpha
-cd inventory/alpha/
-ln -s ../../contrib/terraform/packet/hosts
-```
-
-Details about the cluster, such as the name, as well as the authentication tokens and project ID
-for Equinix Metal need to be defined. To find these values see [Equinix Metal API Accounts](https://metal.equinix.com/developers/docs/accounts/).
-
-```bash
-vi cluster.tfvars
-```
-
-* cluster_name = alpha
-* packet_project_id = ABCDEFGHIJKLMNOPQRSTUVWXYZ123456
-* public_key_path = 12345678-90AB-CDEF-GHIJ-KLMNOPQRSTUV
-
-## Deploy Bare Metal Hosts
-
-Initializing Terraform will pull down any necessary plugins/providers.
-
-```bash
-terraform init ../../contrib/terraform/packet/
-```
-
-Run Terraform to deploy the hardware.
-
-```bash
-terraform apply -var-file=cluster.tfvars ../../contrib/terraform/packet
-```
-
-## Run Kubespray Playbooks
-
-With the bare metal infrastructure deployed, Kubespray can now install Kubernetes and setup the cluster.
-
-```bash
-ansible-playbook --become -i inventory/alpha/hosts cluster.yml
-```

docs/operating_systems/bootstrap-os.md

@@ -1,4 +1,4 @@
-# bootstrap-os
+# bootstrap_os
 
 Bootstrap an Ansible host to be able to run Ansible modules.
 
@@ -48,8 +48,8 @@ Remember to disable fact gathering since Python might not be present on hosts.
 - hosts: all
   gather_facts: false  # not all hosts might be able to run modules yet
   roles:
-    - kubespray-defaults
-    - bootstrap-os
+    - kubespray_defaults
+    - bootstrap_os
 ```
 
 ## License

docs/operations/offline-environment.md

@@ -75,17 +75,17 @@ quay_image_repo: "{{ registry_host }}"
 github_image_repo: "{{ registry_host }}"
 
 local_path_provisioner_helper_image_repo: "{{ registry_host }}/busybox"
-kubeadm_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubeadm"
-kubectl_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubectl"
-kubelet_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubelet"
+kubeadm_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubeadm"
+kubectl_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubectl"
+kubelet_download_url: "{{ files_repo }}/kubernetes/v{{ kube_version }}/kubelet"
 # etcd is optional if you **DON'T** use etcd_deployment=host
-etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
-cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
-crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
+etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
+cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
+crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 # If using Calico
-calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # If using Calico with kdd
-calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"
+calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/v{{ calico_version }}.tar.gz"
 # Containerd
 containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
 runc_download_url: "{{ files_repo }}/runc.{{ image_arch }}"
@@ -136,7 +136,7 @@ If you use the settings like the one above, you'll need to define in your invent
 
 * `registry_host`: Container image registry. If you _don't_ use the same repository path for the container images that
   the ones defined
-  in [kubesprays-defaults's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubespray-defaults/defaults/main/download.yml)
+  in [kubesprays-defaults's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubespray_defaults/defaults/main/download.yml)
   , you need to override the `*_image_repo` for these container images. If you want to make your life easier, use the
   same repository path, you won't have to override anything else.
 * `registry_addr`: Container image registry, but only have [domain or ip]:[port].

docs/operations/upgrades.md

@@ -15,7 +15,6 @@ versions. Here are all version vars for each component:
 * calico_cni_version
 * weave_version
 * flannel_version
-* kubedns_version
 
 > **Warning**
 > [Attempting to upgrade from an older release straight to the latest release is unsupported and likely to break something](https://github.com/kubernetes-sigs/kubespray/issues/3849#issuecomment-451386515)
@@ -84,7 +83,7 @@ If you don't want to upgrade all nodes in one run, you can use `--limit` [patter
 Before using `--limit` run playbook `facts.yml` without the limit to refresh facts cache for all nodes:
 
 ```ShellSession
-ansible-playbook facts.yml -b -i inventory/sample/hosts.ini
+ansible-playbook playbooks/facts.yml -b -i inventory/sample/hosts.ini
 ```
 
 After this upgrade control plane and etcd groups [#5147](https://github.com/kubernetes-sigs/kubespray/issues/5147):

extra_playbooks/migrate_openstack_provider.yml

@@ -12,7 +12,7 @@
   hosts: kube_control_plane[0]
   tasks:
     - name: Include kubespray-default variables
-      include_vars: ../roles/kubespray-defaults/defaults/main/main.yml
+      include_vars: ../roles/kubespray_defaults/defaults/main/main.yml
     - name: Copy get_cinder_pvs.sh to first control plane node
       copy:
         src: get_cinder_pvs.sh

extra_playbooks/upgrade-only-k8s.yml

@@ -14,7 +14,7 @@
   hosts: localhost
   gather_facts: false
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"]}
 
 - name: Bootstrap hosts OS for Ansible
@@ -22,18 +22,18 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   gather_facts: false
   vars:
-    # Need to disable pipelining for bootstrap-os as some systems have requiretty in sudoers set, which makes pipelining
-    # fail. bootstrap-os fixes this on these systems, so in later plays it can be enabled.
+    # Need to disable pipelining for bootstrap_os as some systems have requiretty in sudoers set, which makes pipelining
+    # fail. bootstrap_os fixes this on these systems, so in later plays it can be enabled.
     ansible_ssh_pipelining: false
   roles:
-    - { role: kubespray-defaults}
-    - { role: bootstrap-os, tags: bootstrap-os}
+    - { role: kubespray_defaults}
+    - { role: bootstrap_os, tags: bootstrap_os}
 
 - name: Preinstall
   hosts: k8s_cluster:etcd:calico_rr
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: kubernetes/preinstall, tags: preinstall }
 
 - name: Handle upgrades to control plane components first to maintain backwards compat.
@@ -41,7 +41,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   serial: 1
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: kubernetes/node, tags: node }
     - { role: kubernetes/control-plane, tags: master, upgrade_cluster_setup: true }
@@ -54,8 +54,8 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   serial: "{{ serial | default('20%') }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: kubernetes/node, tags: node }
     - { role: upgrade/post-upgrade, tags: post-upgrade }
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}

galaxy.yml

@@ -2,7 +2,7 @@
 namespace: kubernetes_sigs
 description: Deploy a production ready Kubernetes cluster
 name: kubespray
-version: 2.28.0
+version: 2.28.1
 readme: README.md
 authors:
   - The Kubespray maintainers (https://kubernetes.slack.com/channels/kubespray)

inventory/sample/group_vars/all/all.yml

@@ -57,7 +57,7 @@ loadbalancer_apiserver_healthcheck_port: 8081
 # https_proxy: ""
 # https_proxy_cert_file: ""
 
-## Refer to roles/kubespray-defaults/defaults/main/main.yml before modifying no_proxy
+## Refer to roles/kubespray_defaults/defaults/main/main.yml before modifying no_proxy
 # no_proxy: ""
 
 ## Some problems may occur when downloading files over https proxy due to ansible bug

inventory/sample/group_vars/all/oci.yml

@@ -43,7 +43,6 @@
 #   ocid1.subnet.oc1.phx.aaaaaaaahuxrgvs65iwdz7ekwgg3l5gyah7ww5klkwjcso74u3e4i64hvtvq: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q
 ## If oci_use_instance_principals is true, you do not need to set the region, tenancy, user, key, passphrase, or fingerprint
 # oci_use_instance_principals: false
-# oci_cloud_controller_version: 0.6.0
 ## If you would like to control OCI query rate limits for the controller
 # oci_rate_limit:
 #   rate_limit_qps_read:

inventory/sample/group_vars/all/offline.yml

@@ -18,9 +18,9 @@
 # quay_image_repo: "{{ registry_host }}"
 
 ## Kubernetes components
-# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm"
-# kubectl_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl"
-# kubelet_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet"
+# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/v{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm"
+# kubectl_download_url: "{{ files_repo }}/dl.k8s.io/release/v{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl"
+# kubelet_download_url: "{{ files_repo }}/dl.k8s.io/release/v{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet"
 
 
 ## Two options - Override entire repository or override only a single binary.
@@ -33,24 +33,24 @@
 
 ## [Optional] 2 - Override a specific binary
 ## CNI Plugins
-# cni_download_url: "{{ files_repo }}/github.com/containernetworking/plugins/releases/download/{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
+# cni_download_url: "{{ files_repo }}/github.com/containernetworking/plugins/releases/download/v{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-v{{ cni_version }}.tgz"
 
 ## cri-tools
-# crictl_download_url: "{{ files_repo }}/github.com/kubernetes-sigs/cri-tools/releases/download/{{ crictl_version }}/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
+# crictl_download_url: "{{ files_repo }}/github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/crictl-v{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
 
 ## [Optional] etcd: only if you use etcd_deployment=host
-# etcd_download_url: "{{ files_repo }}/github.com/etcd-io/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
+# etcd_download_url: "{{ files_repo }}/github.com/etcd-io/etcd/releases/download/v{{ etcd_version }}/etcd-v{{ etcd_version }}-linux-{{ image_arch }}.tar.gz"
 
 # [Optional] Calico: If using Calico network plugin
-# calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
+# calicoctl_download_url: "{{ files_repo }}/github.com/projectcalico/calico/releases/download/v{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 # [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
-# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/{{ calico_version }}.tar.gz"
+# calico_crds_download_url: "{{ files_repo }}/github.com/projectcalico/calico/archive/v{{ calico_version }}.tar.gz"
 
 # [Optional] Cilium: If using Cilium network plugin
-# ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
+# ciliumcli_download_url: "{{ files_repo }}/github.com/cilium/cilium-cli/releases/download/v{{ cilium_cli_version }}/cilium-linux-{{ image_arch }}.tar.gz"
 
 # [Optional] helm: only if you set helm_enabled: true
-# helm_download_url: "{{ files_repo }}/get.helm.sh/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
+# helm_download_url: "{{ files_repo }}/get.helm.sh/helm-v{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
 
 # [Optional] crun: only if you set crun_enabled: true
 # crun_download_url: "{{ files_repo }}/github.com/containers/crun/releases/download/{{ crun_version }}/crun-{{ crun_version }}-linux-{{ image_arch }}"
@@ -62,13 +62,13 @@
 # cri_dockerd_download_url: "{{ files_repo }}/github.com/Mirantis/cri-dockerd/releases/download/v{{ cri_dockerd_version }}/cri-dockerd-{{ cri_dockerd_version }}.{{ image_arch }}.tgz"
 
 # [Optional] runc: if you set container_manager to containerd or crio
-# runc_download_url: "{{ files_repo }}/github.com/opencontainers/runc/releases/download/{{ runc_version }}/runc.{{ image_arch }}"
+# runc_download_url: "{{ files_repo }}/github.com/opencontainers/runc/releases/download/v{{ runc_version }}/runc.{{ image_arch }}"
 
 # [Optional] cri-o: only if you set container_manager: crio
 # crio_download_base: "download.opensuse.org/repositories/devel:kubic:libcontainers:stable"
 # crio_download_crio: "http://{{ crio_download_base }}:/cri-o:/"
-# crio_download_url: "{{ files_repo }}/storage.googleapis.com/cri-o/artifacts/cri-o.{{ image_arch }}.{{ crio_version }}.tar.gz"
-# skopeo_download_url: "{{ files_repo }}/github.com/lework/skopeo-binary/releases/download/{{ skopeo_version }}/skopeo-linux-{{ image_arch }}"
+# crio_download_url: "{{ files_repo }}/storage.googleapis.com/cri-o/artifacts/cri-o.{{ image_arch }}.v{{ crio_version }}.tar.gz"
+# skopeo_download_url: "{{ files_repo }}/github.com/lework/skopeo-binary/releases/download/v{{ skopeo_version }}/skopeo-linux-{{ image_arch }}"
 
 # [Optional] containerd: only if you set container_runtime: containerd
 # containerd_download_url: "{{ files_repo }}/github.com/containerd/containerd/releases/download/v{{ containerd_version }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"

inventory/sample/group_vars/all/openstack.yml

@@ -1,5 +1,4 @@
 ## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
-# openstack_blockstorage_version: "v1/v2/auto (default)"
 # openstack_blockstorage_ignore_volume_az: yes
 ## When OpenStack is used, if LBaaSv2 is available you can enable it with the following 2 variables.
 # openstack_lbaas_enabled: True

inventory/sample/group_vars/all/vsphere.yml

@@ -7,26 +7,6 @@
 # external_vsphere_datacenter: "DATACENTER_name"
 # external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
 
-## Vsphere version where located VMs
-# external_vsphere_version: "6.7u3"
-
-## Tags for the external vSphere Cloud Provider images
-## registry.k8s.io/cloud-pv-vsphere/cloud-provider-vsphere
-# external_vsphere_cloud_controller_image_tag: "v1.31.0"
-## registry.k8s.io/csi-vsphere/syncer
-# vsphere_syncer_image_tag: "v3.3.1"
-## registry.k8s.io/sig-storage/csi-attacher
-# vsphere_csi_attacher_image_tag: "v3.4.0"
-## registry.k8s.io/csi-vsphere/driver
-# vsphere_csi_controller: "v3.3.1"
-## registry.k8s.io/sig-storage/livenessprobe
-# vsphere_csi_liveness_probe_image_tag: "v2.6.0"
-## registry.k8s.io/sig-storage/csi-provisioner
-# vsphere_csi_provisioner_image_tag: "v3.1.0"
-## registry.k8s.io/sig-storage/csi-resizer
-## makes sense only for vSphere version >=7.0
-# vsphere_csi_resizer_tag: "v1.3.0"
-
 ## To use vSphere CSI plugin to provision volumes set this value to true
 # vsphere_csi_enabled: true
 # vsphere_csi_controller_replicas: 1

inventory/sample/group_vars/k8s_cluster/addons.yml

@@ -67,7 +67,6 @@ local_volume_provisioner_enabled: false
 
 # Gateway API CRDs
 gateway_api_enabled: false
-# gateway_api_experimental_channel: false
 
 # Nginx ingress controller deployment
 ingress_nginx_enabled: false
@@ -149,7 +148,6 @@ cert_manager_enabled: false
 metallb_enabled: false
 metallb_speaker_enabled: "{{ metallb_enabled }}"
 metallb_namespace: "metallb-system"
-# metallb_version: 0.13.9
 # metallb_protocol: "layer2"
 # metallb_port: "7472"
 # metallb_memberlist_port: "7946"
@@ -211,7 +209,6 @@ metallb_namespace: "metallb-system"
 #             - pool2
 
 argocd_enabled: false
-# argocd_version: 2.14.5
 # argocd_namespace: argocd
 # Default password:
 #   - https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli
@@ -239,6 +236,7 @@ kube_vip_enabled: false
 # kube_vip_cp_detect: false
 # kube_vip_leasename: plndr-cp-lock
 # kube_vip_enable_node_labeling: false
+# kube_vip_lb_fwdmethod: local
 
 # Node Feature Discovery
 node_feature_discovery_enabled: false

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -16,9 +16,6 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 
 kube_api_anonymous_auth: true
 
-## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: 1.32.2
-
 # Where the binaries will be downloaded.
 # Note: ensure that you've enough disk space (about 1G)
 local_release_dir: "/tmp/releases"

inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml

@@ -1,6 +1,4 @@
 ---
-# cilium_version: "1.15.9"
-
 # Log-level
 # cilium_debug: false
 
@@ -177,6 +175,10 @@ cilium_l2announcements: false
 ### Buffer size of the channel to receive monitor events.
 # cilium_hubble_event_queue_size: 50
 
+# Override the DNS suffix that Hubble-Relay uses to resolve its peer service.
+# It defaults to the inventory's `dns_domain`.
+# cilium_hubble_peer_service_cluster_domain: "{{ dns_domain }}"
+
 # IP address management mode for v1.9+.
 # https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
 # cilium_ipam_mode: kubernetes
@@ -255,6 +257,10 @@ cilium_l2announcements: false
 #   - name: "blue-pool"
 #     cidrs:
 #       - "10.0.10.0/24"
+#     ranges:
+#       - start: "20.0.20.100"
+#         stop: "20.0.20.200"
+#       - start: "1.2.3.4"
 
 # -- Configure BGP Instances (New bgpv2 API v1.16+)
 # cilium_bgp_cluster_configs:

inventory/sample/group_vars/k8s_cluster/k8s-net-custom-cni.yml

@@ -45,7 +45,7 @@
 # custom_cni_chart_repository_name: cilium
 # custom_cni_chart_repository_url: https://helm.cilium.io
 # custom_cni_chart_ref: cilium/cilium
-# custom_cni_chart_version: 1.14.3
+# custom_cni_chart_version: <chart version> (e.g.: 1.14.3)
 # custom_cni_chart_values:
 #   cluster:
 #     name: "cilium-demo"

inventory/sample/group_vars/k8s_cluster/k8s-net-kube-router.yml

@@ -1,11 +1,5 @@
 # See roles/network_plugin/kube-router/defaults/main.yml
 
-# Kube router version
-# Default to v2
-# kube_router_version: "2.0.0"
-# Uncomment to use v1 (Deprecated)
-# kube_router_version: "1.6.0"
-
 # Enables Pod Networking -- Advertises and learns the routes to Pods via iBGP
 # kube_router_run_router: true
 

pipeline.Dockerfile

@@ -47,8 +47,8 @@ RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
     && pip install --no-compile --no-cache-dir pip -U \
     && pip install --no-compile --no-cache-dir -r tests/requirements.txt \
     && pip install --no-compile --no-cache-dir -r requirements.txt \
-    && curl -L https://dl.k8s.io/release/v1.32.3/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
-    && echo $(curl -L https://dl.k8s.io/release/v1.32.3/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
+    && curl -L https://dl.k8s.io/release/v1.32.8/bin/linux/$(dpkg --print-architecture)/kubectl -o /usr/local/bin/kubectl \
+    && echo $(curl -L https://dl.k8s.io/release/v1.32.8/bin/linux/$(dpkg --print-architecture)/kubectl.sha256) /usr/local/bin/kubectl | sha256sum --check \
     && chmod a+x /usr/local/bin/kubectl \
     # Install Vagrant
     && curl -LO https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}-1_$(dpkg --print-architecture).deb \

playbooks/boilerplate.yml

@@ -30,10 +30,17 @@
         key: "{{ (group_names | intersect(item.value) | length > 0) | ternary(item.key, '_all') }}"
       loop: "{{ group_mappings | dict2items }}"
 
+- name: Check inventory settings
+  hosts: all
+  gather_facts: false
+  tags: always
+  roles:
+    - validate_inventory
+
 - name: Install bastion ssh config
   hosts: bastion[0]
   gather_facts: false
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: bastion-ssh-config, tags: ["localhost", "bastion"] }

playbooks/cluster.yml

@@ -11,12 +11,15 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, tags: preinstall }
     - { role: "container-engine", tags: "container-engine", when: deploy_container_engine }
     - { role: download, tags: download, when: "not skip_downloads" }
 
 - name: Install etcd
+  vars:
+    etcd_cluster_setup: true
+    etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
   import_playbook: install_etcd.yml
 
 - name: Install Kubernetes nodes
@@ -25,7 +28,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/node, tags: node }
 
 - name: Install the control plane
@@ -34,7 +37,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/control-plane, tags: master }
     - { role: kubernetes/client, tags: client }
     - { role: kubernetes-apps/cluster_roles, tags: cluster-roles }
@@ -45,12 +48,16 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/kubeadm, tags: kubeadm}
     - { role: kubernetes/node-label, tags: node-label }
     - { role: kubernetes/node-taint, tags: node-taint }
+    - role: kubernetes-apps/gateway_api
+      when: gateway_api_enabled
+      tags: gateway_api
+      delegate_to: "{{ groups['kube_control_plane'][0] }}"
+      run_once: true
     - { role: network_plugin, tags: network }
-    - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
 
 - name: Install Calico Route Reflector
   hosts: calico_rr
@@ -58,7 +65,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: network_plugin/calico/rr, tags: ['network', 'calico_rr'] }
 
 - name: Patch Kubernetes for Windows
@@ -67,7 +74,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 
 - name: Install Kubernetes apps
@@ -76,7 +83,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes-apps/external_cloud_controller, tags: external-cloud-controller }
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
@@ -90,5 +97,5 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }

playbooks/facts.yml

@@ -5,19 +5,17 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   gather_facts: false
   environment: "{{ proxy_disable_env }}"
-  vars:
-    # Need to disable pipelining for bootstrap-os as some systems have requiretty in sudoers set, which makes pipelining
-    # fail. bootstrap-os fixes this on these systems, so in later plays it can be enabled.
-    ansible_ssh_pipelining: false
   roles:
-    - { role: bootstrap-os, tags: bootstrap-os}
-    - { role: kubespray-defaults }
+    - { role: bootstrap_os, tags: bootstrap_os}
 
 - name: Gather facts
   hosts: k8s_cluster:etcd:calico_rr
   gather_facts: false
   tags: always
   tasks:
+    - name: Gather and compute network facts
+      import_role:
+        name: network_facts
     - name: Gather minimal facts
       setup:
         gather_subset: '!all'

playbooks/install_etcd.yml

@@ -2,7 +2,7 @@
 - name: Add worker nodes to the etcd play if needed
   hosts: kube_node
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
   tasks:
     - name: Check if nodes needs etcd client certs (depends on network_plugin)
       group_by:
@@ -20,10 +20,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - role: etcd
       tags: etcd
-      vars:
-        etcd_cluster_setup: true
-        etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
       when: etcd_deployment_type != "kubeadm"

playbooks/recover_control_plane.yml

@@ -6,7 +6,7 @@
   hosts: etcd[0]
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - role: recover_control_plane/etcd
       when: etcd_deployment_type != "kubeadm"
 
@@ -14,7 +14,7 @@
   hosts: kube_control_plane[0]
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: recover_control_plane/control-plane }
 
 - name: Apply whole cluster install
@@ -24,5 +24,5 @@
   hosts: kube_control_plane
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: recover_control_plane/post-recover }

playbooks/remove_node.yml

@@ -42,8 +42,8 @@
       service_facts:
       when: reset_nodes | default(True) | bool
   roles:
-    - { role: kubespray-defaults, when: reset_nodes | default(True) | bool }
-    - { role: remove-node/pre-remove, tags: pre-remove }
+    - { role: kubespray_defaults, when: reset_nodes | default(True) | bool }
+    - { role: remove_node/pre_remove, tags: pre-remove }
     - role: remove-node/remove-etcd-node
       when: "'etcd' in group_names"
     - { role: reset, tags: reset, when: reset_nodes | default(True) | bool }
@@ -54,5 +54,5 @@
   gather_facts: false
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults, when: reset_nodes | default(True) | bool }
+    - { role: kubespray_defaults, when: reset_nodes | default(True) | bool }
     - { role: remove-node/post-remove, tags: post-remove }

playbooks/reset.yml

@@ -30,6 +30,6 @@
 
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults}
+    - { role: kubespray_defaults}
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_early: true }
     - { role: reset, tags: reset }

playbooks/scale.yml

@@ -5,22 +5,11 @@
 - name: Gather facts
   import_playbook: facts.yml
 
-- name: Generate the etcd certificates beforehand
-  hosts: etcd:kube_control_plane
-  gather_facts: false
-  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
-  environment: "{{ proxy_disable_env }}"
-  roles:
-    - { role: kubespray-defaults }
-    - role: etcd
-      tags: etcd
-      vars:
-        etcd_cluster_setup: false
-        etcd_events_cluster_setup: false
-      when:
-        - etcd_deployment_type != "kubeadm"
-        - kube_network_plugin in ["calico", "flannel", "canal", "cilium"] or cilium_deploy_additionally | default(false) | bool
-        - kube_network_plugin != "calico" or calico_datastore == "etcd"
+- name: Install etcd
+  vars:
+    etcd_cluster_setup: false
+    etcd_events_cluster_setup: false
+  import_playbook: install_etcd.yml
 
 - name: Download images to ansible host cache via first kube_control_plane node
   hosts: kube_control_plane[0]
@@ -28,7 +17,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults, when: "not skip_downloads and download_run_once and not download_localhost" }
+    - { role: kubespray_defaults, when: "not skip_downloads and download_run_once and not download_localhost" }
     - { role: kubernetes/preinstall, tags: preinstall, when: "not skip_downloads and download_run_once and not download_localhost" }
     - { role: download, tags: download, when: "not skip_downloads and download_run_once and not download_localhost" }
 
@@ -38,7 +27,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, tags: preinstall }
     - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
     - { role: download, tags: download, when: "not skip_downloads" }
@@ -57,7 +46,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/node, tags: node }
 
 - name: Upload control plane certs and retrieve encryption key
@@ -66,7 +55,7 @@
   gather_facts: false
   tags: kubeadm
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
   tasks:
     - name: Upload control plane certificates
       command: >-
@@ -88,7 +77,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/kubeadm, tags: kubeadm }
     - { role: kubernetes/node-label, tags: node-label }
     - { role: kubernetes/node-taint, tags: node-taint }
@@ -100,5 +89,5 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }

playbooks/upgrade_cluster.yml

@@ -11,7 +11,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults, when: "not skip_downloads and download_run_once and not download_localhost"}
+    - { role: kubespray_defaults, when: "not skip_downloads and download_run_once and not download_localhost"}
     - { role: kubernetes/preinstall, tags: preinstall, when: "not skip_downloads and download_run_once and not download_localhost" }
     - { role: download, tags: download, when: "not skip_downloads and download_run_once and not download_localhost" }
 
@@ -21,7 +21,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, tags: preinstall }
     - { role: download, tags: download, when: "not skip_downloads" }
 
@@ -32,10 +32,13 @@
   environment: "{{ proxy_disable_env }}"
   serial: "{{ serial | default('20%') }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
 
 - name: Install etcd
+  vars:
+    etcd_cluster_setup: true
+    etcd_events_cluster_setup: "{{ etcd_events_cluster_enabled }}"
   import_playbook: install_etcd.yml
 
 - name: Handle upgrades to control plane components first to maintain backwards compat.
@@ -45,7 +48,7 @@
   environment: "{{ proxy_disable_env }}"
   serial: 1
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: upgrade/system-upgrade, tags: system-upgrade }
     - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
@@ -67,7 +70,7 @@
   serial: "{{ serial | default('20%') }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes-apps/external_cloud_controller, tags: external-cloud-controller }
     - { role: network_plugin, tags: network }
     - { role: kubernetes-apps/network_plugin, tags: network }
@@ -80,7 +83,7 @@
   environment: "{{ proxy_disable_env }}"
   serial: "{{ serial | default('20%') }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: upgrade/pre-upgrade, tags: pre-upgrade }
     - { role: upgrade/system-upgrade, tags: system-upgrade }
     - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
@@ -97,7 +100,7 @@
   any_errors_fatal: true
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }
 
 - name: Install Calico Route Reflector
@@ -106,7 +109,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: network_plugin/calico/rr, tags: network }
 
 - name: Install Kubernetes apps
@@ -115,7 +118,7 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes-apps/ingress_controller, tags: ingress-controller }
     - { role: kubernetes-apps/external_provisioner, tags: external-provisioner }
     - { role: kubernetes-apps, tags: apps }
@@ -126,5 +129,5 @@
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   environment: "{{ proxy_disable_env }}"
   roles:
-    - { role: kubespray-defaults }
+    - { role: kubespray_defaults }
     - { role: kubernetes/preinstall, when: "dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'", tags: resolvconf, dns_late: true }

requirements.txt

@@ -1,6 +1,6 @@
 ansible==9.13.0
 # Needed for community.crypto module
-cryptography==44.0.2
+cryptography==45.0.2
 # Needed for jinja2 json_query templating
 jmespath==1.0.1
 # Needed for ansible.utils.ipaddr

roles/bootstrap-os/tasks/amzn.yml

@@ -1,27 +0,0 @@
----
-- name: Enable selinux-ng repo for Amazon Linux for container-selinux
-  command: amazon-linux-extras enable selinux-ng
-
-- name: Enable EPEL repo for Amazon Linux
-  yum_repository:
-    name: epel
-    file: epel
-    description: Extra Packages for Enterprise Linux 7 - $basearch
-    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
-    gpgcheck: true
-    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-    skip_if_unavailable: true
-    enabled: true
-    repo_gpgcheck: false
-  when: epel_enabled
-
-# iproute is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute is installed
-  package:
-    name: iproute
-    state: present
-  become: true

roles/bootstrap-os/tasks/clear-linux-os.yml

@@ -1,27 +0,0 @@
----
-# ClearLinux ships with Python installed
-
-- name: Install basic package to run containers
-  package:
-    name: containers-basic
-    state: present
-
-- name: Make sure docker service is enabled
-  systemd_service:
-    name: docker
-    masked: false
-    enabled: true
-    daemon_reload: true
-    state: started
-  become: true
-
-# iproute2 is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute2 is installed
-  package:
-    name: iproute2
-    state: present
-  become: true

roles/bootstrap-os/tasks/main.yml

@@ -1,57 +1,10 @@
 ---
-- name: Fetch /etc/os-release
-  raw: cat /etc/os-release
-  register: os_release
-  changed_when: false
-  # This command should always run, even in check mode
-  check_mode: false
+- name: Warn for usage of deprecated role
+  fail:
+    msg: bootstrap-os is deprecated, switch to bootstrap_os
+  ignore_errors: true # noqa ignore-errors
+  run_once: true
 
-- name: Include distro specifics vars and tasks
-  vars:
-    os_release_dict: "{{ os_release.stdout_lines | select('regex', '^.+=.*$') | map('regex_replace', '\"', '') |
-                         map('split', '=') | community.general.dict }}"
-  block:
-  - name: Include vars
-    include_vars: "{{ item }}"
-    tags:
-    - facts
-    with_first_found:
-    - &search
-      files:
-      - "{{ os_release_dict['ID'] }}-{{ os_release_dict['VARIANT_ID'] }}.yml"
-      - "{{ os_release_dict['ID'] }}.yml"
-      paths:
-      - vars/
-      skip: true
-  - name: Include tasks
-    include_tasks: "{{ included_tasks_file }}"
-    with_first_found:
-    - <<: *search
-      paths: []
-    loop_control:
-      loop_var: included_tasks_file
-
-
-- name: Create remote_tmp for it is used by another module
-  file:
-    path: "{{ ansible_remote_tmp | default('~/.ansible/tmp') }}"
-    state: directory
-    mode: "0700"
-
-- name: Gather facts
-  setup:
-    gather_subset: '!all'
-    filter: ansible_*
-
-- name: Assign inventory name to unconfigured hostnames (non-CoreOS, non-Flatcar, Suse and ClearLinux, non-Fedora)
-  hostname:
-    name: "{{ inventory_hostname }}"
-  when: override_system_hostname
-
-- name: Ensure bash_completion.d folder exists
-  file:
-    name: /etc/bash_completion.d/
-    state: directory
-    owner: root
-    group: root
-    mode: "0755"
+- name: Compat for direct role import
+  import_role:
+    name: bootstrap_os

roles/bootstrap_os/defaults/main.yml

@@ -9,6 +9,9 @@ rh_subscription_check_timeout: 180
 # Disable locksmithd or leave it in its current state
 coreos_locksmithd_disable: false
 
+# Install epel repo on Centos/RHEL
+epel_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
@@ -16,6 +19,8 @@ use_oracle_public_repo: true
 ## Ubuntu specific variables
 # Disable unattended-upgrades for Linux kernel and all packages start with linux- on Ubuntu
 ubuntu_kernel_unattended_upgrades_disabled: false
+# Stop unattended-upgrades if it is currently running on Ubuntu
+ubuntu_stop_unattended_upgrades: false
 
 fedora_coreos_packages:
   - python

roles/bootstrap_os/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: kubespray_defaults

roles/bootstrap_os/molecule/default/converge.yml

@@ -4,4 +4,4 @@
   gather_facts: false
   become: true
   roles:
-    - role: bootstrap-os
+    - role: bootstrap_os

roles/bootstrap_os/tasks/amzn.yml

@@ -0,0 +1,16 @@
+---
+- name: Enable selinux-ng repo for Amazon Linux for container-selinux
+  command: amazon-linux-extras enable selinux-ng
+
+- name: Enable EPEL repo for Amazon Linux
+  yum_repository:
+    name: epel
+    file: epel
+    description: Extra Packages for Enterprise Linux 7 - $basearch
+    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
+    gpgcheck: true
+    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
+    skip_if_unavailable: true
+    enabled: true
+    repo_gpgcheck: false
+  when: epel_enabled

roles/bootstrap_os/tasks/centos.yml

@@ -108,22 +108,3 @@
   when:
     - fastestmirror.stat.exists
     - not centos_fastestmirror_enabled
-
-# libselinux-python is required on SELinux enabled hosts
-# See https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#managed-node-requirements
-- name: Install libselinux python package
-  package:
-    name: "{{ ((ansible_distribution_major_version | int) < 8) | ternary('libselinux-python', 'python3-libselinux') }}"
-    state: present
-  become: true
-
-# iproute is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute is installed
-  package:
-    name: iproute
-    state: present
-  become: true

roles/bootstrap_os/tasks/clear-linux-os.yml

@@ -0,0 +1,16 @@
+---
+# ClearLinux ships with Python installed
+
+- name: Install basic package to run containers
+  package:
+    name: containers-basic
+    state: present
+
+- name: Make sure docker service is enabled
+  systemd_service:
+    name: docker
+    masked: false
+    enabled: true
+    daemon_reload: true
+    state: started
+  become: true

roles/bootstrap_os/tasks/debian.yml

@@ -62,14 +62,3 @@
     - '"changed its" in bootstrap_update_apt_result.stdout'
     - '"value from" in bootstrap_update_apt_result.stdout'
   ignore_errors: true
-
-# iproute2 is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute2 is installed
-  package:
-    name: iproute2
-    state: present
-  become: true

roles/bootstrap_os/tasks/fedora.yml

@@ -28,14 +28,3 @@
   become: true
   when:
     - need_bootstrap.rc != 0
-
-# iproute is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute is installed
-  package:
-    name: iproute
-    state: present
-  become: true

roles/bootstrap_os/tasks/flatcar.yml

@@ -23,7 +23,7 @@
 
 - name: Make interpreter discovery works on Flatcar
   set_fact:
-    ansible_interpreter_python_fallback: "{{ (ansible_interpreter_python_fallback | default([])) + [ '/opt/bin/python' ] }}"
+    ansible_interpreter_python_fallback: "{{ (ansible_interpreter_python_fallback | default([])) + ['/opt/bin/python'] }}"
 
 - name: Disable auto-upgrade
   systemd_service:

roles/bootstrap_os/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: Fetch /etc/os-release
+  raw: cat /etc/os-release
+  register: os_release
+  changed_when: false
+  # This command should always run, even in check mode
+  check_mode: false
+
+- name: Include distro specifics vars and tasks
+  vars:
+    os_release_dict: "{{ os_release.stdout_lines | select('regex', '^.+=.*$') | map('regex_replace', '\"', '') |
+                         map('split', '=') | community.general.dict }}"
+  block:
+  - name: Include vars
+    include_vars: "{{ item }}"
+    tags:
+    - facts
+    with_first_found:
+    - &search
+      files:
+      - "{{ os_release_dict['ID'] }}-{{ os_release_dict['VARIANT_ID'] }}.yml"
+      - "{{ os_release_dict['ID'] }}.yml"
+      paths:
+      - vars/
+      skip: true
+  - name: Include tasks
+    include_tasks: "{{ included_tasks_file }}"
+    with_first_found:
+    - <<: *search
+      paths: []
+    loop_control:
+      loop_var: included_tasks_file
+
+- name: Install system packages
+  import_role:
+    name: system_packages
+  tags:
+  - system-packages
+
+- name: Create remote_tmp for it is used by another module
+  file:
+    path: "{{ ansible_remote_tmp | default('~/.ansible/tmp') }}"
+    state: directory
+    mode: "0700"
+
+- name: Gather facts
+  setup:
+    gather_subset: '!all'
+    filter: ansible_*
+
+- name: Assign inventory name to unconfigured hostnames (non-CoreOS, non-Flatcar, Suse and ClearLinux, non-Fedora)
+  hostname:
+    name: "{{ inventory_hostname }}"
+  when: override_system_hostname
+
+- name: Ensure bash_completion.d folder exists
+  file:
+    name: /etc/bash_completion.d/
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"

roles/bootstrap_os/tasks/opensuse.yml

@@ -83,15 +83,3 @@
       - apparmor-parser
     state: present
   become: true
-
-# iproute2 is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute2 is installed
-  community.general.zypper:
-    name: iproute2
-    state: present
-    update_cache: true
-  become: true

roles/bootstrap_os/tasks/rhel.yml

@@ -93,22 +93,3 @@
   when:
     - fastestmirror.stat.exists
     - not centos_fastestmirror_enabled
-
-# libselinux-python is required on SELinux enabled hosts
-# See https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#managed-node-requirements
-- name: Install libselinux python package
-  package:
-    name: "{{ ((ansible_distribution_major_version | int) < 8) | ternary('libselinux-python', 'python3-libselinux') }}"
-    state: present
-  become: true
-
-# iproute is required for networking related facts gathering
-# See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html#package-requirements-for-fact-gathering
-# Note: It is not recommended way, but since the tasks execution order, put it here is the simplest way so far. We can move it to a proper place later.
-# TODO: move this to roles/kubernetes/preinstall/vars/main.yml -> pkgs variables
-# Currently not possible because the collect the network facts before that step, needs reordering of the exec flow.
-- name: Ensure iproute is installed
-  package:
-    name: iproute
-    state: present
-  become: true

roles/bootstrap_os/tasks/ubuntu.yml

@@ -19,3 +19,11 @@
   when:
     - ubuntu_kernel_unattended_upgrades_disabled
     - unattended_upgrades_file_stat.stat.exists
+
+- name: Stop unattended-upgrades service
+  service:
+    name: unattended-upgrades
+    state: stopped
+    enabled: false
+  become: true
+  when: ubuntu_stop_unattended_upgrades

roles/container-engine/containerd-common/defaults/main.yml

@@ -3,15 +3,3 @@
 # manager controlled installs to direct download ones.
 containerd_package: 'containerd.io'
 yum_repo_dir: /etc/yum.repos.d
-
-# Keep minimal repo information around for cleanup
-containerd_repo_info:
-  repos:
-
-# Ubuntu docker-ce repo
-containerd_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
-containerd_ubuntu_repo_component: "stable"
-
-# Debian docker-ce repo
-containerd_debian_repo_base_url: "https://download.docker.com/linux/debian"
-containerd_debian_repo_component: "stable"

roles/container-engine/containerd/defaults/main.yml

@@ -17,8 +17,8 @@ containerd_runc_runtime:
   root: ""
   base_runtime_spec: cri-base.json
   options:
-    systemdCgroup: "{{ containerd_use_systemd_cgroup | ternary('true', 'false') }}"
-    binaryName: "{{ bin_dir }}/runc"
+    SystemdCgroup: "{{ containerd_use_systemd_cgroup | ternary('true', 'false') }}"
+    BinaryName: "{{ bin_dir }}/runc"
 
 containerd_additional_runtimes: []
 # Example for Kata Containers as additional runtime:

roles/container-engine/containerd/molecule/default/converge.yml

@@ -5,5 +5,5 @@
   vars:
     container_manager: containerd
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: container-engine/containerd

roles/container-engine/containerd/molecule/default/prepare.yml

@@ -6,8 +6,9 @@
   vars:
     ignore_assert_errors: true
   roles:
-    - role: kubespray-defaults
-    - role: bootstrap-os
+    - role: kubespray_defaults
+    - role: bootstrap_os
+    - role: network_facts
     - role: kubernetes/preinstall
     - role: adduser
       user: "{{ addusers.kube }}"
@@ -25,5 +26,5 @@
     ignore_assert_errors: true
     kube_network_plugin: cni
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: network_plugin/cni

roles/container-engine/containerd/tasks/main.yml

@@ -1,31 +1,4 @@
 ---
-- name: Fail containerd setup if distribution is not supported
-  fail:
-    msg: "{{ ansible_distribution }} is not supported by containerd."
-  when:
-    - not (allow_unsupported_distribution_setup | default(false)) and (ansible_distribution not in containerd_supported_distributions)
-
-- name: Containerd | Remove any package manager controlled containerd package
-  package:
-    name: "{{ containerd_package }}"
-    state: absent
-  when:
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
-
-- name: Containerd | Remove containerd repository
-  file:
-    path: "{{ yum_repo_dir }}/containerd.repo"
-    state: absent
-  when:
-    - ansible_os_family in ['RedHat']
-
-- name: Containerd | Remove containerd repository
-  apt_repository:
-    repo: "{{ item }}"
-    state: absent
-  with_items: "{{ containerd_repo_info.repos }}"
-  when: ansible_pkg_mgr == 'apt'
-
 - name: Containerd | Download containerd
   include_tasks: "../../../download/tasks/download_file.yml"
   vars:
@@ -41,21 +14,6 @@
       - --strip-components=1
   notify: Restart containerd
 
-- name: Containerd | Remove orphaned binary
-  file:
-    path: "/usr/bin/{{ item }}"
-    state: absent
-  when:
-    - containerd_bin_dir != "/usr/bin"
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
-  ignore_errors: true  # noqa ignore-errors
-  with_items:
-    - containerd
-    - containerd-shim
-    - containerd-shim-runc-v1
-    - containerd-shim-runc-v2
-    - ctr
-
 - name: Containerd | Generate systemd service for containerd
   template:
     src: containerd.service.j2

roles/container-engine/containerd/tasks/reset.yml

@@ -1,22 +1,4 @@
 ---
-- name: Containerd | Remove containerd repository for RedHat os family
-  file:
-    path: "{{ yum_repo_dir }}/containerd.repo"
-    state: absent
-  when:
-    - ansible_os_family in ['RedHat']
-  tags:
-    - reset_containerd
-
-- name: Containerd | Remove containerd repository for Debian os family
-  apt_repository:
-    repo: "{{ item }}"
-    state: absent
-  with_items: "{{ containerd_repo_info.repos }}"
-  when: ansible_pkg_mgr == 'apt'
-  tags:
-    - reset_containerd
-
 - name: Containerd | Stop containerd service
   service:
     name: containerd

roles/container-engine/containerd/templates/config.toml.j2

@@ -76,10 +76,8 @@ oom_score = {{ containerd_oom_score }}
   [plugins."io.containerd.cri.v1.images".registry]
     config_path = "{{ containerd_cfg_dir }}/certs.d"
 
-{% if nri_enabled %}
   [plugins."io.containerd.nri.v1.nri"]
-    disable = false
-{% endif %}
+    disable = {{ 'false' if nri_enabled else 'true' }}
 
 {% if containerd_tracing_enabled %}
   [plugins."io.containerd.tracing.processor.v1.otlp"]

roles/container-engine/containerd/vars/debian.yml

@@ -1,7 +0,0 @@
----
-containerd_repo_info:
-  repos:
-    - >
-      deb {{ containerd_debian_repo_base_url }}
-      {{ ansible_distribution_release | lower }}
-      {{ containerd_debian_repo_component }}

roles/container-engine/containerd/vars/ubuntu.yml

@@ -1,7 +0,0 @@
----
-containerd_repo_info:
-  repos:
-    - >
-      deb {{ containerd_ubuntu_repo_base_url }}
-      {{ ansible_distribution_release | lower }}
-      {{ containerd_ubuntu_repo_component }}

roles/container-engine/cri-dockerd/molecule/default/converge.yml

@@ -5,5 +5,5 @@
   vars:
     container_manager: docker
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: container-engine/cri-dockerd

roles/container-engine/cri-dockerd/molecule/default/prepare.yml

@@ -3,8 +3,8 @@
   hosts: all
   become: true
   roles:
-    - role: kubespray-defaults
-    - role: bootstrap-os
+    - role: kubespray_defaults
+    - role: bootstrap_os
     - role: adduser
       user: "{{ addusers.kube }}"
   tasks:
@@ -20,7 +20,7 @@
     container_manager: containerd
     kube_network_plugin: cni
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: network_plugin/cni
   tasks:
     - name: Copy test container files

roles/container-engine/cri-o/molecule/default/converge.yml

@@ -5,5 +5,5 @@
   vars:
     container_manager: crio
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: container-engine/cri-o

roles/container-engine/cri-o/molecule/default/prepare.yml

@@ -6,8 +6,9 @@
   vars:
     ignore_assert_errors: true
   roles:
-    - role: kubespray-defaults
-    - role: bootstrap-os
+    - role: kubespray_defaults
+    - role: bootstrap_os
+    - role: network_facts
     - role: kubernetes/preinstall
     - role: adduser
       user: "{{ addusers.kube }}"
@@ -25,7 +26,7 @@
     ignore_assert_errors: true
     kube_network_plugin: cni
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: network_plugin/cni
   tasks:
     - name: Copy test container files

roles/container-engine/cri-o/tasks/main.yaml

@@ -180,7 +180,7 @@
     dest: /etc/containers/storage.conf
     section: storage.options.overlay
     option: mountopt
-    value: '{{ ''"nodev"'' if ansible_kernel is version_compare(("4.18" if ansible_os_family == "RedHat" else "4.19"), "<") else ''"nodev,metacopy=on"'' }}'
+    value: '{{ ''"nodev"'' if ansible_kernel is version(("4.18" if ansible_os_family == "RedHat" else "4.19"), "<") else ''"nodev,metacopy=on"'' }}'
     mode: "0644"
 
 - name: Cri-o | create directory registries configs

roles/container-engine/docker/tasks/main.yml

@@ -50,7 +50,7 @@
   apt_key:
     id: "{{ item }}"
     url: "{{ docker_repo_key_info.url }}"
-    keyring: "{{ docker_repo_key_keyring|default(omit) }}"
+    keyring: "{{ docker_repo_key_keyring | default(omit) }}"
     state: present
   register: keyserver_task_result
   until: keyserver_task_result is succeeded

roles/container-engine/gvisor/molecule/default/converge.yml

@@ -6,6 +6,6 @@
     gvisor_enabled: true
     container_manager: containerd
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: container-engine/containerd
     - role: container-engine/gvisor

roles/container-engine/gvisor/molecule/default/prepare.yml

@@ -3,8 +3,8 @@
   hosts: all
   become: true
   roles:
-    - role: kubespray-defaults
-    - role: bootstrap-os
+    - role: kubespray_defaults
+    - role: bootstrap_os
     - role: adduser
       user: "{{ addusers.kube }}"
   tasks:
@@ -20,7 +20,7 @@
     container_manager: containerd
     kube_network_plugin: cni
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: network_plugin/cni
     - role: container-engine/crictl
   tasks:

roles/container-engine/kata-containers/molecule/default/converge.yml

@@ -6,6 +6,6 @@
     kata_containers_enabled: true
     container_manager: containerd
   roles:
-    - role: kubespray-defaults
+    - role: kubespray_defaults
     - role: container-engine/containerd
     - role: container-engine/kata-containers